I prefer to do in in the "Input" firewall chain.
General Methodology is to only allow certain specific protocols/ports from certain specified IP ranges "allowed" in the INPUT chain of the router. Everything else is dropped via a final "drop everything" FW rule.
Input Chain Example Example:
add chain=input connection-state=invalid action=drop comment="Drop Invalid" disabled=no
add chain=input connection-state=established action=accept comment="Allow Established Connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow Related Connections" disabled=no
add chain=input src-address=x.x.x.0/24 protocol=udp dst-port=53 action=accept comment="Accept DNS from local network" disabled=no
add chain=input protocol=tcp dst-port=80 src-address-list=C&C action=accept comment="Allow access from C&C List" disabled=no
add chain=input protocol=tcp dst-port=8291 src-address-list=C&C action=accept comment="" disabled=no
add chain=input protocol=udp dst-port=161 src-address-list=C&C action=accept comment="" disabled=no
add chain=input protocol=tcp dst-port=2000 src-address-list=C&C action=accept comment="Bandwidth Test" disabled=no
add chain=input protocol=icmp limit=50,2 action=accept comment="Allow Limited Pings" disabled=no
add chain=input src-address-type=broadcast action=accept comment="Accept Broadcast Traffic " disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
In my case the the (comand & control) C&C list is a short list of IP subnets and IP addresses from which access to the router is allowed... this makes it easier to add/change/delete IP's and subnets from the access list.
See also:
http://wiki.mikrotik.com/wiki/Securing_your_router
